Defence Against The Dark Arts – Mitigating Against ICS Malware

Blog by Lawrie Abercrombie, Arcanum’s Technical Director

This month, the UK’s National Cyber Security Centre is hosting an event titled “The Safety and Cyber Security of Industrial Control Systems”. One of the topics is an attack on a Saudi Arabian oil and gas plant.

In September 2016 Mandiant, FireEye’s cyber incident response and forensic investigation arm, was called in to deal with a malware infection at a Saudi refinery, partly owned by the state-backed petroleum company Saudi Aramco.

The malware they discovered, now known variously as TRITON, TRISIS, HATMAN and TEMP.Veles, had been used to force a Schneider Electric Safety Instrumented System (SIS) to malfunction, automatically shutting down many Industrial Control Systems (ICS) throughout the plant. TRITON hit the news again in late October as FireEye reported¹ that they have identified a Russian government-owned technical research institute, the Central Scientific Research Institute of Chemistry and Mechanics located in Moscow, as being inextricably linked to the development and field testing of the TRITON malware.

TRITON is the fifth known malware family designed to cause physical damage on ICS networks, the others being:

• STUXNET, which attacked the Iranian nuclear fuel processing industry in 2010;

• HAVEX, whose 2014 attack targeted energy and utilities companies through spam e-mails and compromised vendor websites;

• BLACKENERGY2, which during 2014 targeted specific ICS products from specific vendors used in critical infrastructures;

• INDUSTROYER, whose 2016 attack on Ukraine’s power grid was the first ever known malware specifically designed to attack electrical grids.

According to the US Department of Homeland Security’s ICS Computer Emergency Response Team (CERT)² TRITON / TRISIS / HATMAN “surpasses all four with the ability to directly interact with, remotely control, and compromise a safety system, a nearly unprecedented feat”.

However, TRITON is the first to specifically target a safety system, as opposed to the more generic Supervisory Control and Data Acquisition (SCADA) systems attacked by its predecessors. SIS controllers are special equipment installed in production lines and other industrial setups. They read data streams from industrial equipment such as factory machinery, robots, valves and motors, and act as a fail-safe, triggering alarms to restore the plant to a safe state or safely shutting it down to protect lives and equipment. An example would be an SIS that monitors gas pressure via sensor inputs and turns off the flow when the pressure exceeds a specified threshold.
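To make the fail-safe role of an SIS concrete, here is an added toy model of the gas-pressure safety function just described. It is illustration code written for this post, not code from the original article, from Schneider Electric, or from any real SIS product. The 2-out-of-3 sensor voting, the treatment of a failed sensor as a demand for shutdown, and the latched trip that only an operator can clear are textbook safety-logic design choices assumed for the example; the 10 bar threshold and the reading stream are constructed values.

```python
"""Toy Safety Instrumented Function (SIF): trip the gas flow to its safe
(closed) state when pressure exceeds a threshold.

Added illustration, not vendor or project code.  Assumptions: three
pressure channels voted 2-out-of-3, a failed channel (None) counts as a
demand so that loss of a sensor can never leave the plant unprotected,
and a trip latches until an operator reset with healthy readings.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

Reading = Optional[float]           # bar; None models a failed/missing sensor
HIGH_PRESSURE_TRIP_BAR = 10.0       # constructed threshold (assumption)


@dataclass
class SafetyFunction:
    trip_threshold: float = HIGH_PRESSURE_TRIP_BAR
    tripped: bool = False           # latched once set; cleared only by reset()
    log: List[str] = field(default_factory=list)

    def _demands(self, readings: Sequence[Reading]) -> int:
        # Fail-safe direction: an invalid channel votes FOR shutdown.
        return sum(1 for r in readings if r is None or r > self.trip_threshold)

    def evaluate(self, readings: Sequence[Reading]) -> bool:
        """One scan of the safety logic.  Returns True while the flow valve is
        commanded closed (the safe state)."""
        votes = self._demands(readings)
        if votes >= 2 and not self.tripped:          # 2oo3 voting
            self.tripped = True
            self.log.append(f"TRIP: {votes}/3 channels demand shutdown, readings={readings}")
        return self.tripped

    def reset(self, readings: Sequence[Reading]) -> bool:
        """Operator reset, permitted only when every channel is healthy and
        below the threshold.  Returns the trip state after the attempt."""
        if self.tripped and self._demands(readings) == 0:
            self.tripped = False
            self.log.append("RESET by operator, process back in normal range")
        return self.tripped


# Constructed scan-by-scan readings (bar) for the three channels.
SAMPLE_READINGS: List[Tuple[Reading, Reading, Reading]] = [
    (8.0, 8.1, 7.9),     # normal operation
    (10.5, 8.0, 8.0),    # one channel high: tolerated as a spurious reading
    (10.5, 10.4, 8.0),   # two channels high: genuine overpressure, trip
    (8.0, 8.0, 8.0),     # pressure recovered, but the trip stays latched
]


def run_scenario(stream: Sequence[Sequence[Reading]]) -> Tuple[List[bool], List[str]]:
    """Run the safety function over a reading stream; return the valve-closed
    state after each scan and the event log."""
    sif = SafetyFunction()
    states = [sif.evaluate(scan) for scan in stream]
    return states, sif.log


if __name__ == "__main__":
    states, log = run_scenario(SAMPLE_READINGS)
    for scan, closed in zip(SAMPLE_READINGS, states):
        print(f"{scan!s:<22} valve_closed={closed}")
    print("\n".join(log))
```

The scan with a single high channel does not trip, which is what voting buys a plant operator: one noisy transmitter must not cause a spurious shutdown. The fourth scan shows the latch; pressure has returned to normal, yet the valve stays closed until someone with authority resets the function. It is exactly this independent decision, taken by the SIS rather than by the process controller, that the attack described above sought to interfere with.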

Dragos, an industrial cybersecurity firm, has been tracking the activities of eight hacker groups³.

The three most prominent are the Russia-linked Allanite group, which emerged in 2017 targeting electric utilities in the US and UK; the Iran-linked Chrysene, which also emerged in 2017 attacking ICS networks in the Middle East and the UK; and an unaffiliated group it named Xenotime, which has been focused on Oil & Gas in the Middle East since at least 2014. Dragos believes the latter was responsible for the TRITON attacks in Saudi Arabia. The recent FireEye report suggests that Xenotime is backed by, if not part of, the Russian State.

In the next part of this series, we will discuss the ICS cyber kill chain, analyse the TRITON attack in more detail and suggest appropriate mitigation measures where well-placed defences could thwart an attack on an ICS system.

² US DHS NCCIC ICS-CERT MAR-17-352-01 HATMAN-Safety System Targeted Malware dated 18 December 2017

Lawrie Abercrombie M.Inst.IISP is the Technical Director at Arcanum IS Ltd, a specialist Cyber Security Consultancy working with Businesses, Government and Defence Industry. One of few Lead Security & Information Risk Advisors certified by the UK’s National Cyber Security Centre, Lawrie works in both the Public and Private sectors specialising in risk management for IT and OT projects.